Using the Apache HTTP Server as a forward proxy to the Internet

./configure --prefix=/usr/local/apache2 --enable-mods-shared="all" --enable-proxy=shared

Download:  $ lynx http://www.apache.org/dist/httpd/httpd-2_0_NN.tar.gz
Extract:   $ gzip -d httpd-2_0_NN.tar.gz
           $ tar xvf httpd-2_0_NN.tar
Configure: $ ./configure --prefix=PREFIX
Compile:   $ make
Install:   $ make install
Customize: $ vi PREFIX/conf/httpd.conf
Test:      $ PREFIX/bin/apachectl start


Often you do not want servers in your internal network segments to be able to access the Internet directly.
One way to get controlled access to the Internet is to place an Apache HTTP Server in a DMZ network segment. Internal servers can then use the Apache server as a forward proxy to the Internet.

It is easy to configure mod_proxy for this purpose. Here is an example.

##########################################################################
## Internet proxy
##########################################################################
Listen 10.10.10.1:8080

<VirtualHost 10.10.10.1:8080>
   ProxyRequests On
   SSLProxyEngine On

   ProxyPass        /revoke https://myca.com/revoke
   ProxyPassReverse /revoke https://myca.com/revoke

   <Location />
     Order Deny,Allow
     Deny from all
     Allow from 10.20.30.0/29
   </Location>
</VirtualHost>

Only “ProxyRequests On” is needed for a proxy to work.

Applications that know how to communicate with a proxy can be configured to use 10.10.10.1 on port 8080.

You can for example configure a browser to use the proxy.

Not all applications know how to use a proxy. In one project they could not get the BEA AquaLogic Service Bus to use a proxy. I am not a developer, so I don't know the details or whether it is still a problem with the OSB. To get around this you can use ProxyPass and ProxyPassReverse to proxy to specific sites.

Here it is possible to use http://10.10.10.1:8080/revoke/getRevokeList to get a certificate revocation list from a CA.

If you need to access sites via HTTPS you need "SSLProxyEngine On". SSL is terminated at the proxy, so the hop from the internal network segment to the proxy is plain HTTP.

Anyone who gets access to the proxy can reach any site on the Internet while masquerading as you. If the wrong people get in, your site might end up blacklisted because of their mischief. So it is important to limit access to the proxy.

Here only servers in the PROD (10.20.30.0/29) network segment can use the proxy. Servers in the DMZ segment do not have access.

I assume that the firewall between the PROD and DMZ segments will only allow certain PROD servers to access the proxy.
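As an added example (not part of the original post), a small audit over the proxy's access log that checks the ACL above from the outside: any request from a client outside 10.20.30.0/29 that the proxy answered with a status below 400 means the <Location /> rules, or the firewall in front of them, did not stop it. The log lines are constructed, and the Apache "combined" log format is assumed.

```python
import ipaddress
import re

# Constructed sample lines in Apache "combined" log format (not from the
# original post). 10.20.30.0/29 is the PROD segment allowed by <Location />.
SAMPLE_LOG = """\
10.20.30.5 - - [10/Oct/2023:13:55:36 +0200] "GET http://www.example.com/ HTTP/1.1" 200 1532 "-" "curl/7.61.1"
10.20.30.6 - - [10/Oct/2023:13:55:40 +0200] "GET /revoke/getRevokeList HTTP/1.1" 200 4096 "-" "Java/1.8.0"
10.10.10.50 - - [10/Oct/2023:13:56:01 +0200] "CONNECT mail.example.org:443 HTTP/1.1" 403 199 "-" "Mozilla/5.0"
192.0.2.77 - - [10/Oct/2023:13:57:12 +0200] "GET http://www.example.com/ HTTP/1.1" 200 1532 "-" "python-requests/2.31"
"""

# Combined log format up to the status code; referer and user agent are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) '
)


def is_forward_proxy_request(method, target):
    # ProxyRequests On serves absolute-URI requests and CONNECT tunnels; an
    # origin-form path such as /revoke/... is served by ProxyPass instead.
    return method == "CONNECT" or "://" in target


def audit_proxy_log(lines, allowed_cidrs):
    # Returns (counts, violations). A violation is a request from outside the
    # allowed segments that got a status below 400: the Deny/Allow rules (or
    # the firewall in front of them) did not stop it.
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    counts = {"allowed_client": 0, "denied": 0, "violation": 0, "unparsed": 0}
    violations = []
    for line in lines:
        m = LOG_RE.match(line)
        try:
            ip = ipaddress.ip_address(m["ip"]) if m else None
        except ValueError:  # HostnameLookups On would log a name, not an address
            ip = None
        if ip is None:
            counts["unparsed"] += 1
            continue
        if any(ip in n for n in nets):
            counts["allowed_client"] += 1
        elif int(m["status"]) >= 400:
            counts["denied"] += 1  # ACL worked: e.g. a 403 for the DMZ host
        else:
            counts["violation"] += 1
            violations.append((str(ip), m["method"], m["target"], int(m["status"]),
                               is_forward_proxy_request(m["method"], m["target"])))
    return counts, violations
```

Run it against the real access log of the proxy vhost; a non-empty violation list is the signal to check the Allow list and the PROD/DMZ firewall rules.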

Notice that you can also use the <Proxy> directive to configure your proxy.

Two-way SSL

It is also possible to get two-way SSL to work through a forward proxy. The certificates must be PEM-encoded, and encrypted private keys are not supported, so it might take a bit of messing around to get it working.

Here is an example.

<VirtualHost 10.10.10.2:8080>
    SSLProxyEngine On
    SSLProxyVerify require
    SSLProxyVerifyDepth 10

    SSLProxyMachineCertificateFile /etc/httpd/conf/certs/my-machine-proxy.pem
    SSLProxyCACertificateFile /etc/httpd/conf/certs/ca.pem

    ProxyPass        / https://someapp.com/
    ProxyPassReverse / https://someapp.com/
</VirtualHost>